From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: "Philippe Mathieu-Daudé" <f4bug@amsat.org>, qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Prasad J Pandit <pjp@fedoraproject.org>,
qemu-block@nongnu.org, 1880822@bugs.launchpad.net,
Alexander Bulekov <alxndr@bu.edu>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH v2] hw/sd/sdcard: Verify CMD24 (Block Write) address is valid
Date: Fri, 5 Jun 2020 10:34:17 +0200 [thread overview]
Message-ID: <057b7d37-204f-32e1-3548-5e51def423a2@redhat.com> (raw)
In-Reply-To: <20200604182502.24228-1-f4bug@amsat.org>
On 6/4/20 8:25 PM, Philippe Mathieu-Daudé wrote:
> Avoid OOB access by verifying the requested address belong to
> the actual card size. Return ADDRESS_ERROR when not in range.
> Only move the state machine to ReceivingData if there is no
> pending error.
>
> "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
>
> 4.3.4 Data Write
>
> * Block Write
>
> Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
> occurred and no data transfer is performed.
>
> Fixes: CVE-2020-13253
> Reported-by: Alexander Bulekov <alxndr@bu.edu>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
While the reproducer triggers the OOB via CMD24, other commands have the
same problem, so I'll post a v3.
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> Cc: Prasad J Pandit <pjp@fedoraproject.org>
>
> v2: check for blksz in range, only go to sd_receivingdata_state
> if no error.
> ---
> hw/sd/sd.c | 17 +++++++++--------
> 1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 3c06a0ac6d..2254dc7acc 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1211,17 +1211,18 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
> /* Writing in SPI mode not implemented. */
> if (sd->spi)
> break;
> - sd->state = sd_receivingdata_state;
> - sd->data_start = addr;
> - sd->data_offset = 0;
> - sd->blk_written = 0;
> -
> - if (sd->data_start + sd->blk_len > sd->size)
> + if (addr + sd->blk_len >= sd->size) {
> sd->card_status |= ADDRESS_ERROR;
> - if (sd_wp_addr(sd, sd->data_start))
> + } else if (sd_wp_addr(sd, sd->data_start)) {
> sd->card_status |= WP_VIOLATION;
> - if (sd->csd[14] & 0x30)
> + } else if (sd->csd[14] & 0x30) {
> sd->card_status |= WP_VIOLATION;
> + } else {
> + sd->state = sd_receivingdata_state;
> + sd->data_start = addr;
> + sd->data_offset = 0;
> + sd->blk_written = 0;
> + }
> return sd_r1;
>
> default:
>
WARNING: multiple messages have this Message-ID (diff)
From: "Philippe Mathieu-Daudé" <1880822@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1880822] Re: [PATCH v2] hw/sd/sdcard: Verify CMD24 (Block Write) address is valid
Date: Fri, 05 Jun 2020 08:34:17 -0000 [thread overview]
Message-ID: <057b7d37-204f-32e1-3548-5e51def423a2@redhat.com> (raw)
Message-ID: <20200605083417.0PVL7aA4Tb-ZGo8aCmiGTqD2k8HPfG5yrdkt_Rd5Y0M@z> (raw)
In-Reply-To: 20200604182502.24228-1-f4bug@amsat.org
On 6/4/20 8:25 PM, Philippe Mathieu-Daudé wrote:
> Avoid OOB access by verifying the requested address belong to
> the actual card size. Return ADDRESS_ERROR when not in range.
> Only move the state machine to ReceivingData if there is no
> pending error.
>
> "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01"
>
> 4.3.4 Data Write
>
> * Block Write
>
> Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR
> occurred and no data transfer is performed.
>
> Fixes: CVE-2020-13253
> Reported-by: Alexander Bulekov <alxndr@bu.edu>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822
While the reproducer triggers the OOB via CMD24, other commands have the
same problem, so I'll post a v3.
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
> Cc: Prasad J Pandit <pjp@fedoraproject.org>
>
> v2: check for blksz in range, only go to sd_receivingdata_state
> if no error.
> ---
> hw/sd/sd.c | 17 +++++++++--------
> 1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 3c06a0ac6d..2254dc7acc 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1211,17 +1211,18 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
> /* Writing in SPI mode not implemented. */
> if (sd->spi)
> break;
> - sd->state = sd_receivingdata_state;
> - sd->data_start = addr;
> - sd->data_offset = 0;
> - sd->blk_written = 0;
> -
> - if (sd->data_start + sd->blk_len > sd->size)
> + if (addr + sd->blk_len >= sd->size) {
> sd->card_status |= ADDRESS_ERROR;
> - if (sd_wp_addr(sd, sd->data_start))
> + } else if (sd_wp_addr(sd, sd->data_start)) {
> sd->card_status |= WP_VIOLATION;
> - if (sd->csd[14] & 0x30)
> + } else if (sd->csd[14] & 0x30) {
> sd->card_status |= WP_VIOLATION;
> + } else {
> + sd->state = sd_receivingdata_state;
> + sd->data_start = addr;
> + sd->data_offset = 0;
> + sd->blk_written = 0;
> + }
> return sd_r1;
>
> default:
>
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1880822
Title:
CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in
DoS
Status in QEMU:
Confirmed
Bug description:
An out-of-bounds read access issue was found in the SD Memory Card
emulator of the QEMU. It occurs while performing block write commands
via sdhci_write(), if a guest user has sent 'address' which is OOB of
's->wp_groups'. A guest user/process may use this flaw to crash the
QEMU process resulting in DoS.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1880822/+subscriptions
next prev parent reply other threads:[~2020-06-05 8:36 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-27 7:10 [Bug 1880822] [NEW] CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in DoS P J P
2020-05-27 7:15 ` [Bug 1880822] " P J P
2020-05-27 7:18 ` P J P
2020-05-27 7:28 ` Philippe Mathieu-Daudé
2020-06-04 15:02 ` Philippe Mathieu-Daudé
2020-06-04 17:34 ` [PATCH] hw/sd/sdcard: Verify CMD24 (Block Write) address is valid Philippe Mathieu-Daudé
2020-06-04 17:34 ` [Bug 1880822] " Philippe Mathieu-Daudé
2020-06-04 18:03 ` Paolo Bonzini
2020-06-04 18:20 ` Philippe Mathieu-Daudé
2020-06-04 18:20 ` [Bug 1880822] " Philippe Mathieu-Daudé
2020-06-04 18:25 ` [PATCH v2] " Philippe Mathieu-Daudé
2020-06-04 18:25 ` [Bug 1880822] " Philippe Mathieu-Daudé
2020-06-05 8:34 ` Philippe Mathieu-Daudé [this message]
2020-06-05 8:34 ` [Bug 1880822] " Philippe Mathieu-Daudé
2020-06-05 11:12 ` [Bug 1880822] Re: CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in DoS Philippe Mathieu-Daudé
2020-07-16 15:53 ` Philippe Mathieu-Daudé
2020-08-20 14:41 ` Thomas Huth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=057b7d37-204f-32e1-3548-5e51def423a2@redhat.com \
--to=philmd@redhat.com \
--cc=1880822@bugs.launchpad.net \
--cc=alxndr@bu.edu \
--cc=f4bug@amsat.org \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pjp@fedoraproject.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).